CVE-2025-24364
Published: 27 January 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2025-24364 is an arbitrary code execution vulnerability in vaultwarden, an unofficial Bitwarden-compatible server written in Rust and formerly known as bitwarden_rs. The flaw lies in the vaultwarden admin panel, where an authenticated administrator can combine the mail agent (sendmail) settings with the favicon handling to execute arbitrary system commands on the host. It is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'), the parent class that covers command injection, and carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H): reachable over the network with low attack complexity and no user interaction, but requiring high privileges (admin panel access), with high confidentiality, integrity, and availability impact.
Exploitation requires authenticated access to the vaultwarden admin panel, so the realistic threat is a leaked or brute-forced admin token, or a malicious administrator. The attacker first changes the admin settings to select sendmail as the mail agent with an attacker-controlled command string, then has the server fetch a crafted favicon whose image content carries the payload. Triggering a mail send, for example with the admin panel's test-email function, causes the server to process the tampered favicon and execute the embedded commands with the privileges of the vaultwarden process, which can lead to full compromise of the host.
The vulnerability was fixed in vaultwarden 1.33.0, and operators should update to that version or later. Until then, since the admin panel is only enabled when an ADMIN_TOKEN is configured, leaving it disabled or restricting it to trusted networks removes the precondition for this attack, and any saved admin-panel overrides of the mail settings should be reviewed. Additional details are available in the GitHub security advisory at https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h6cc-rc6q-23j4 and the release notes at https://github.com/dani-garcia/vaultwarden/releases/tag/1.33.0.
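The following audit script is an added example and is not vaultwarden's own code or anything from the advisory. It turns the two halves of the chain described above into a check an operator can run offline: it decides whether a given version string predates the 1.33.0 fix, and it inspects saved admin-panel settings for the dangerous combination (sendmail selected as the mail agent, a command string carrying shell metacharacters, or a sendmail "binary" that lives in a folder the server itself writes to, such as the favicon cache). It assumes that admin-panel overrides are persisted as JSON with snake_case keys named like the corresponding environment variables (use_sendmail, sendmail_command, icon_cache_folder, data_folder), that only overridden values are present, that the default sendmail path is /usr/sbin/sendmail, and that the version is obtained out of band; the allowlist of MTA paths and the sample configs are constructed for the example.

```python
"""Audit a vaultwarden instance for CVE-2025-24364 exposure.

Added example, not vaultwarden's own code. Assumptions (labelled):
  * admin-panel overrides are persisted as JSON with snake_case keys named
    like the corresponding environment variables (use_sendmail,
    sendmail_command, icon_cache_folder, data_folder); only overridden
    values are present, so defaults are filled in here;
  * the default sendmail command is /usr/sbin/sendmail;
  * the running version is obtained out of band (admin diagnostics page,
    image tag) and passed in as a string.
"""
import json
import re
import shlex
from pathlib import PurePosixPath

FIXED_VERSION = (1, 33, 0)  # first release containing the fix

# Paths an operator would legitimately use for a sendmail-compatible MTA.
# Anything else is reported. The allowlist itself is an assumption; extend
# it for your deployment.
KNOWN_MTA_PATHS = {"/usr/sbin/sendmail", "/usr/lib/sendmail", "/usr/bin/msmtp"}

SHELL_METACHARS = re.compile(r"[;&|`$<>(){}\n]")


def parse_version(version: str) -> tuple:
    """'1.32.7' or 'v1.32.7' -> (1, 32, 7)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised vaultwarden version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def version_is_vulnerable(version: str) -> bool:
    """True when the instance predates 1.33.0."""
    return parse_version(version) < FIXED_VERSION


def _is_under(path: str, folder: str) -> bool:
    """Pure string comparison, no filesystem access (so it runs offline)."""
    p, f = PurePosixPath(path), PurePosixPath(folder)
    return p == f or f in p.parents


def audit_config(config: dict) -> list:
    """Return (severity, message) findings for saved admin-panel settings.

    Settings are only dangerous when sendmail is the selected mail agent:
    that is the branch that executes a configured command.
    """
    findings = []
    if not config.get("use_sendmail", False):
        return findings

    cmd = config.get("sendmail_command") or "/usr/sbin/sendmail"  # assumed default

    # A command string carrying shell metacharacters is the "injected shell
    # command" half of the chain described in the advisory.
    if SHELL_METACHARS.search(cmd):
        findings.append(("high", f"sendmail_command contains shell metacharacters: {cmd!r}"))

    try:
        argv = shlex.split(cmd)
    except ValueError:
        findings.append(("high", f"sendmail_command is not a parseable command: {cmd!r}"))
        return findings
    exe = argv[0] if argv else ""

    # The favicon cache and the data folder are written by the server itself;
    # an MTA "binary" located there is the cached-favicon half of the chain.
    for folder in (config.get("icon_cache_folder") or "data/icon_cache",
                   config.get("data_folder") or "data"):
        if _is_under(exe, folder):
            findings.append(("critical",
                             f"sendmail executable {exe!r} is inside server-writable folder {folder!r}"))
            break

    if exe not in KNOWN_MTA_PATHS:
        findings.append(("medium", f"sendmail executable {exe!r} is not a known MTA path"))
    return findings


def audit_config_json(text: str) -> list:
    """Convenience wrapper for the raw contents of a config.json file."""
    return audit_config(json.loads(text))


# Constructed sample inputs (not real captured configs).
BENIGN_CONFIG = {"use_sendmail": True, "sendmail_command": "/usr/sbin/sendmail"}
SUSPICIOUS_CONFIG = {
    "use_sendmail": True,
    "icon_cache_folder": "/data/icon_cache",
    # a "favicon" the server cached from an attacker-controlled domain
    "sendmail_command": "/data/icon_cache/attacker.example.png",
}

if __name__ == "__main__":
    print("1.32.7 vulnerable:", version_is_vulnerable("1.32.7"))
    for name, cfg in (("benign", BENIGN_CONFIG), ("suspicious", SUSPICIOUS_CONFIG)):
        print(name, audit_config(cfg) or "no findings")
```

The checks are deliberately string-based so the script can be run against a copied config.json on an analyst workstation. A "critical" finding means the configured mail command points into a directory the server populates from untrusted input, which is exactly the condition this CVE abuses; a "medium" finding on an unusual but legitimate MTA path is expected in custom deployments and should be reviewed rather than treated as confirmed compromise.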
Details
- CWE(s): CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection')
Affected Products
- vaultwarden (formerly bitwarden_rs), versions before 1.33.0
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1059.004 Command and Scripting Interpreter: Unix Shell
Why these techniques?
The vulnerability is authenticated remote code execution through a public-facing web admin panel, achieved by injecting a command into the mail settings and delivering it through favicon image processing. That maps to T1190 (Exploit Public-Facing Application) for the initial exploitation of the exposed vaultwarden instance, and to T1059.004 (Command and Scripting Interpreter: Unix Shell) for the shell command execution that follows, which can lead to full system compromise.